Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16000
HistoryFeb 08, 2007 - 12:00 a.m.

Ability to inject and execute any code as root in SysCP

2007-02-0800:00:00
vulners.com
50
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                  The System Control Panel
                       www.SysCP.org

                  -= Security Advisory =-


 Advisory: Ability to inject and execute any code as root in SysCP

Release Date: 2007/02/02
Last Modified: 2007/02/07
Author: Florian Lippert <[email protected]>
Application: SysCP <= 1.2.15
Severity: Arbitrary code execution
Risk: Critical
Status: Patch and new release provided

Overview:

SysCP, the System Control Panel is a server administration tool
which enables an internet service provider to give their customers
a web-based application to administrate their email addresses,
their subdomains etc.
Two security issues, both making a remote code execution possible,
were discovered recently:
1) Within the panel, a customer can inject any malicious code which will
be executed by the cronjob, which runs as super user. This security
issue was discovered by Daniel Schulte <[email protected]> and only
affects SysCP 1.2.15
2) With having access to the syscp-database one could insert any file to
be executed into panel_cronscript table. This security issue was
discovered by Martin Burchert <[email protected]> and affects all
SysCP releases from 1.2.3 up to 1.2.15.

Details:

1) It's possible for a customer to create a directory-structure like
"; cp /var/www/syscp/lib/userdata.inc.php /var/kunden/webs/web1/; ls "
inside his homedir. If the customer tries to protect this directory with
the control panel, the cronscript will execute this command as root and
the customer has the MySQL-root-password inside his ftp-directory.
2) If an attacker has access to the database he could add any php file to
the table 'panel_cronscript', for example one that he uploaded into his
dir and which adds a new root-user or installs a backdor etc. Due to not
validating or restricting the files which are "include_onced" on
scripts/cronscript.php, line 139 (as of SysCP 1.2.15) this file will be
executed as the user which also executes the cronscript, normally root.

Recommendation:

For security issue #1 patch your installation with the provided patch
(http://files.syscp.org/misc/syscp-1.2.15s.patch&#41; or upgrade to
SysCP 1.2.16, which fixes both security issues.

GPG-Key:
pub 1024D/5B97D56B 2007-02-07 Florian Lippert <[email protected]>
Fingerprint: D974 4762 7993 A16E 4249 7BD5 61D3 9CEE 5B97 D56B

EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFykJfYdOc7luX1WsRApFVAJ4oAb6sPFmzvUc3dtrtwmfymsW+6wCggQPy
dP3ag9i/r99Yvs7Dk4JNgDI=
=cqyF
-----END PGP SIGNATURE-----

JSON